
The Banking and Financial Institutions (Internal Control and Internal Audit)

G. N. No. 286

ISSN 0856 – 034X


Supplement No. 33 22nd August, 2014

SUBSIDIARY LEGISLATION
To the Gazette of the United Republic of Tanzania No. 34 Vol. 95 Dated 22nd August, 2014

Printed by the Government Printer, Dar es Salaam by order of Government

GOVERNMENT NOTICE NO. 286 published on 22/08/2014

THE BANKING AND FINANCIAL INSTITUTIONS (INTERNAL CONTROL AND INTERNAL AUDIT) REGULATIONS, 2014

ARRANGEMENT OF REGULATIONS

Regulation Title

PART I
PRELIMINARY PROVISIONS

1. Citation.
2. Application.
3. Interpretation.
4. Objectives.

PART II
CORPORATE GOVERNANCE

5. Corporate governance framework.
6. Responsibilities of Board of Directors.
7. Establishment and responsibilities of audit committee.
8. Responsibilities of senior management.

PART III
SYSTEM OF INTERNAL CONTROLS

9. Establishment of system of internal controls.
10. Objectives of the system of internal controls.
11. Risk identification and assessment.
12. Control activities and segregation of duties.
13. Information and communication.
14. Monitoring activities and correcting deficiencies.
15. Annual review of system of internal controls.

PART IV
INTERNAL AUDIT

16. Appointment of the internal auditor.
17. Qualifications of the internal auditor.
18. Reporting by Internal Auditor.
19. Independence of the Internal Auditor.
20. Audit charter.
21. Duties of the Internal Auditor.
22. Audit plan.
23. Outsourcing internal audit function.
24. Duty to inform the Internal Auditor.

PART V
GENERAL PROVISIONS

25. Reporting to the Bank.
26. Sanctions.
27. Revocation.
________

SCHEDULE
________

THE BANKING AND FINANCIAL INSTITUTIONS ACT
(CAP 342)
______

REGULATIONS
______

Made under section 71
_____

THE BANKING AND FINANCIAL INSTITUTIONS (INTERNAL CONTROL AND INTERNAL AUDIT) REGULATIONS, 2014

PART I
PRELIMINARY PROVISIONS

Citation
1. These Regulations may be cited as the Banking and
Financial Institutions (Internal Control and Internal Audit)
Regulations, 2014.

Application
2. These regulations shall apply to all banks and financial
institutions.

Interpretation
3. In these Regulations unless the context otherwise
requires-
“Act” means the Banking and Financial Institutions Act;
“Bank” means Bank of Tanzania;
“bank” has the meaning ascribed to it in the Act;
“director” has the meaning ascribed to it in the Act;
“financial institution” has the meaning ascribed to it in the Act;
“independent director” means a director who-
(a) does not hold any executive or management position
in a bank or financial institution;
(b) does not have, directly or indirectly, a significant
interest in the bank or financial institution including
any parent or subsidiary in a consolidated group with
the bank or financial institution;
(c) has not been employed by the bank or financial
institution or a banking group of which he currently
forms part in any executive capacity for the
preceding three years;
(d) is not a member of the family of an individual who
is, or has been in any of the past three years,
employed by the bank or financial institution or the
banking group in an executive capacity;
(e) is not a professional advisor to the bank or financial
institution or the banking group;
(f) is free from any business or other relationship which
seems to interfere with the individual's capacity to
act in an independent manner; and
(g) does not receive remuneration contingent upon the
performance of the bank or financial institution;
“internal audit” means an independent, objective assurance and
consulting activity, oriented to add value and bring in a
systematic and disciplined approach to evaluate and
improve the effectiveness of risk management, control
and governance processes;
“internal auditor” means a person who is heading the internal
audit function of a bank or financial institution;
“internal control” means a concerted action of the Board of
Directors, senior management and all levels of personnel,
designed to provide reasonable assurance regarding the
achievement of objectives, the effectiveness and efficiency
of operations and the reliability of financial reporting and
compliance with applicable laws, regulations and internal
policies;
“internal controls” means policies and procedures established
and implemented individually or with other policies or
procedures, to manage and control a particular risk or
business activity, or combination of risks or business
activities, to which the bank or financial institution is
exposed or in which it is engaged; and
“non-executive director” means a director who does not hold
any executive or management position in a bank or
financial institution.

Objectives
4. The objectives of these Regulations are to ensure
that-
(a) banks and financial institutions establish effective
systems of internal controls to promote the safety
and soundness of their operations; and
(b) there exists an effective internal audit function
responsible for independent evaluation of the
effectiveness of the system of internal controls.

PART II
CORPORATE GOVERNANCE

Corporate governance framework
5.-(1) A bank or financial institution shall establish an
effective corporate governance framework which defines the
character of the institution and promotes an organizational culture
that provides the foundation for effective internal control and
internal audit.
(2) The corporate governance framework referred to in
sub-regulation (1) shall, at a minimum, include the following-
(a) duties of the Board of Directors including
responsibility for business and risk strategy,
organisation, financial soundness and governance;
(b) duties of senior management including responsibility
to ensure that the bank’s or financial institution’s
activities are consistent with the business strategy,
risk tolerance or appetite and policies approved by
the board;
(c) organization structure that facilitates effective
decision making and good governance, with clear
lines of responsibility and accountability;
(d) effective risk management, compliance and internal
audit functions, each with sufficient authority,
stature, independence, resources and access to the
board; and
(e) system of internal controls consistent with the size,
complexity and nature of the bank’s or financial
institution’s operations.

Responsibilities of Board of Directors
6.-(1) The Board of Directors shall be responsible for
ensuring that an adequate, effective and efficient system of
internal controls and internal audit function are established and
maintained.
(2) The Board of Directors shall, in exercising its
responsibilities stipulated under sub-regulation (1)-
(a) promote high ethical and integrity standards, and
establish a culture within the organization that
emphasizes and demonstrates to all levels of
personnel the importance of internal controls;
(b) approve and review, at least annually, the overall
business strategies and all significant policies of the
bank or financial institution;
(c) understand major risks facing the bank or financial
institution and set acceptable levels for those risks
and ensure that senior management takes the steps
necessary to identify, measure, monitor and control
the risks;
(d) approve the organisational structure;
(e) ensure that senior management monitors the
effectiveness of the system of internal controls; and
(f) review at least annually the effectiveness of the
system of internal controls and internal audit
function.
(3) The strategies and policies referred to under sub-
regulation (2) shall be submitted to the Bank not later than thirty
days after being approved by the Board,
provided that where any changes are made to the strategies and
policies, the bank or financial institution shall clearly indicate
areas of such changes.

Establishment and responsibilities of audit committee
7.-(1) The Board of Directors shall establish an Audit
Committee of the board responsible for providing oversight of
the financial reporting and system of internal controls, audit
process and compliance with legal and regulatory requirements.
(2) The audit committee shall, in exercising the
responsibility stipulated under sub-regulation (1), carry out the
duties specified in the Schedule to these Regulations.
(3) The audit committee shall be composed of at least
three non-executive directors, two of whom shall be independent
members having accounting, auditing or related financial
management experience.
(4) The audit committee of a bank or financial institution
shall report to the Board of Directors at least quarterly.

Responsibilities of senior management
8.-(1) The senior management of a bank or financial
institution shall be responsible for implementing strategies and
policies approved by the Board of Directors and for establishing
an effective system of internal controls.
(2) In exercising the responsibilities stipulated under
sub-regulation (1), senior management shall-
(a) establish organizational and procedural controls;
(b) develop processes that identify, measure, monitor and
control risks;
(c) maintain an organisational structure that clearly assigns
responsibility, authority and reporting relationships;
(d) ensure that delegated responsibilities are effectively
carried out;
(e) ensure that all personnel understand their roles in the
internal control process and adhere to policies and
procedures affecting their duties and responsibilities;
(f) ensure that outsourced services do not jeopardize the
system of internal controls; and
(g) monitor the adequacy and effectiveness of the system of
internal controls.

PART III
SYSTEM OF INTERNAL CONTROLS

Establishment of system of internal controls
9. A bank or financial institution shall establish an
effective system of internal controls consisting of the following
elements-
(a) management oversight and the control culture;
(b) risk identification and assessment;
(c) control activities and segregation of duties;
(d) information and communication; and
(e) monitoring activities and correcting deficiencies.

Objectives of the system of internal controls
10.-(1) The system of internal controls referred to under
regulation 9 shall-
(a) promote the efficiency and effectiveness of activities
and measures that protect the bank or financial
institution from loss;
(b) ensure the relevance, reliability, completeness and
timeliness of financial and management information;
(c) ensure compliance with applicable laws and
regulations;
(d) reduce fraud, misappropriation and errors, and
mitigate other risks faced by the institution;
(e) identify the relative risks of each area of activity of
the bank or financial institution; and
(f) assist the bank or financial institution to allocate
appropriate amounts of time and resources on the
higher risk areas.

Risk identification and assessment
11.-(1) A bank or financial institution shall ensure that
its system of internal controls is designed in a manner that it can
identify and continually assess all material risks.
(2) The material risks under sub-regulation (1) shall, at a
minimum, include credit, liquidity, market, operational, strategic
and compliance risks.

Control activities and segregation of duties
12. A bank or financial institution shall-
(a) establish an appropriate control structure, with
control activities defined at every business level
including-
(i) top level reviews;
(ii) appropriate activity controls for different
departments or divisions;
(iii) physical controls;
(iv) assess compliance with exposure limits and
follow-up on cases of non-compliance;
(v) a system of approvals and authorizations;
(vi) a system of verification and reconciliation;
and
(b) allocate and assign its personnel with duties and
responsibilities that are not conflicting and ensure
that areas of potential conflict are identified,
minimized, and subject to careful and independent
monitoring.

Information and communication
13.-(1) A bank or financial institution shall-
(a) establish an effective management information
system to collect, record and retain adequate and
comprehensive financial and non-financial
information relevant for decision making; and
(b) establish effective channels of communication to
ensure that staff fully understand and adhere to
policies and procedures affecting their duties and
responsibilities and other relevant information is
communicated to the appropriate personnel.
(2) The management information system referred to under
sub-regulation (1) shall cover all operations of the
bank or financial institution and shall be secure,
monitored independently and supported by adequate
contingency arrangements.

Monitoring activities and correcting deficiencies
14.-(1) A bank or financial institution shall ensure that
the overall effectiveness of its internal controls is monitored on
an ongoing basis through periodic evaluations and reviews
carried out by its business lines and the internal auditor.
(2) Where internal control deficiencies are identified by
business lines, internal audit, or other control personnel, such
deficiencies shall be reported timely to senior management and
the Board of Directors and shall be addressed promptly.

Annual review of system of internal controls
15. A bank or financial institution shall review its system
of internal controls at least once annually to assess its effectiveness
and appropriately address any new or previously uncontrolled
risks.

PART IV
INTERNAL AUDIT

Appointment of the internal auditor
16.-(1) A bank or financial institution shall appoint an
internal auditor whose function shall be to evaluate the
effectiveness of the system of internal controls, risk management
framework and governance processes.
(2) A bank or financial institution shall not appoint any
person to hold the post of internal auditor without obtaining prior
approval of the Bank.
(3) A bank or financial institution shall, where the post of
the internal auditor falls vacant, notify the Bank in writing within
seven days from the date the position falls vacant.
(4) The post of internal auditor shall be deemed to be
vacant due to dismissal, resignation, incapacity or any other
reason.

Qualifications of the internal auditor
17.-(1) The internal auditor of a bank or financial
institution shall be a Certified Public Accountant or its equivalent
and be registered with the National Board of Accountants and
Auditors.
(2) The Internal Auditor of a bank or financial institution
shall be a person who has at least three years’ experience in the
regular audit as internal or external auditor.

Reporting by Internal Auditor
18.-(1) The Internal Auditor shall report to the Audit
Committee or the Board of Directors.
(2) The reports of the Internal Auditor shall contain audit
findings, recommendations and responses of senior management.
(3) The reports and working papers of the Internal Auditor
shall be kept for at least five years.

Independence of the Internal Auditor
19.-(1) The Board of Directors shall ensure that the
Internal Auditor is independent and competent staff and resources
are available for the adequate performance of his functions and
duties.
(2) The Internal Auditor shall, at least annually, confirm
to the Board of Directors the status of organizational independence
of the internal audit function, including adequacy of resources and
any limitations of scope.
(3) The Internal Auditor shall refrain from auditing
specific operations in which he was previously involved.

Audit charter
20.-(1) A bank or financial institution shall have a
written audit charter stating the purpose, standing and
authority of the internal audit function.
(2) Where any changes are made to the audit charter,
the revised charter clearly indicating areas of change shall be
submitted to the Bank not later than thirty days after its
approval by the Board.
(3) The audit charter shall be approved by the Board
of Directors.
(4) At a minimum, the internal audit charter shall-
(a) provide the objectives and scope of the internal
audit function;
(b) state the Internal Auditor’s position within the
organization, his powers, responsibilities,
accountability and relations with other control
functions;
(c) mandate the Internal Auditor with the right of
initiative and authority to have direct access to and
communicate with any member of staff, to
examine any activity of the institution and access
any records, files or data of the institution;
(d) establish the Internal Auditor’s authority to
communicate directly to the Board of Directors,
the audit committee, the external auditors and
where appropriate to the Bank;
(e) specify the terms and conditions according to
which the Internal Auditor can be called upon to
provide advisory services or perform other special
tasks;
(f) outline the criteria for outsourcing the internal
audit function;
(g) provide for requirement to comply with sound
internal auditing standards;
(h) establish procedures for the coordination of the
internal audit function with the external auditor;
and
(i) establish an annual independent review of the
internal audit function, which may be carried out
by the external auditor, the audit committee or any
other independent party.

Duties of the Internal Auditor
21.-(1) The duties of the Internal Auditor shall include
to-
(a) ensure that internal audit complies with sound
internal auditing standards and with a relevant
code of ethics;
(b) examine and evaluate the adequacy and
effectiveness of the system of internal controls;
(c) review the application and effectiveness of risk
management procedures and risk assessment
methodologies;
(d) review the adequacy of management information
system;
(e) review the accuracy and reliability of the
accounting records and financial reports;
(f) review the system of assessing capital in relation
to assessment and estimation of risks;
(g) assess the efficiency of the usage of resources;
(h) review the system established to ensure
compliance with legal and regulatory
requirements, codes of conduct and the
implementation of policies and procedures;
(i) test the reliability and timeliness of the
regulatory reporting; and
(j) carry out special investigations.

Audit plan
22.-(1) The Internal Auditor shall prepare an annual
plan for the assignments to be performed during the next
financial year and present that plan to the audit committee for
review and to the Board of Directors for approval not later than
31st December each year.
(2) A bank or financial institution shall submit its
annual audit plan to the Bank not later than 15th January each
year.
(3) The annual audit plan referred to under sub-
regulation (1) shall include-
(a) the timing and frequency of planned internal audit
work;
(b) an evaluation of internal controls and on a written
assessment of material risks;
(c) details of the necessary resources in terms of
personnel and other resources; and
(d) the time allocated for training.
(4) The Internal Auditor shall report to the Board of
Directors and obtain approval for any changes in the audit
plan, and submit a copy of the revised audit plan to the Bank
within fourteen days after approval by the Board of Directors.

Outsourcing internal audit function
23.-(1) A bank or financial institution shall not
outsource its internal audit function without the prior approval
of the Bank.
(2) Where a bank or financial institution outsources its
internal audit function, the Board of Directors shall remain
ultimately responsible for ensuring that the system of internal
controls and the internal audit are adequate and operate
effectively.

Duty to inform the Internal Auditor
24. Senior management of a bank or financial
institution shall ensure that the Internal Auditor is informed of
new developments, initiatives, products and operational
changes for purposes of early identification of all associated
risks.

PART V
GENERAL PROVISIONS

Reporting to the Bank
25.-(1) A bank or financial institution shall submit to
the Bank an audit report and minutes of the meeting of the
Audit Committee or Board of Directors which discussed the
audit report.
(2) The report referred to under sub-regulation (1) shall
be submitted not later than forty five days after the end of the
quarter.
(3) Notwithstanding the provisions of sub-regulation
(1), the Internal Auditor of a bank or financial institution shall
immediately report to the Bank any significant audit findings
including fraud, misappropriation, errors, omission or any
other significant irregularities uncovered in the course of
audit.
(4) The report submitted to the Bank shall contain a
summary of significant audit findings referred to under sub-
regulation (3) and remedial actions taken by senior
management to rectify such findings.
(5) For the purpose of sub-regulation (3), significant
audit findings are the findings which have an adverse impact
on the financial performance and condition of a bank or
financial institution.

Sanctions
26.-(1) Without prejudice to penalties and actions
prescribed by the Act, the Bank may impose on any bank or
financial institution any of the following sanctions for non-
compliance-
(a) a penalty of the amount to be determined by the
Bank;
(b) suspension from office of the defaulting director,
officer or employee; and
(c) disqualification of the defaulting director, officer
or employee from holding any position or office in
any bank or financial institution under the
supervision of the Bank.
(2) The penalty referred to in paragraph (a) of sub-
regulation (1) shall apply to directors, officers or employees of
the bank or financial institution.

Revocation of GN No. 79 of 2005
27. The Banking and Financial Institutions (Internal
Control and Internal Audit) Regulations, 2005 are hereby
revoked.

______
SCHEDULE
_______

(Made under Regulation 7)
_______

DUTIES AND RESPONSIBILITIES OF BOARD AUDIT COMMITTEE

The main areas of responsibility of the audit committee are listed below by broad categories:

Financial reporting, including disclosures

1. Monitoring the financial reporting process and its output;

2. Overseeing the establishment of accounting policies and practices by the bank or financial
institution and reviewing the significant qualitative aspects of the bank's accounting practices,
including accounting estimates and financial statement disclosures;

3. Monitoring the integrity of the bank’s or financial institution’s financial statements and any
formal announcements relating to the bank’s or financial institution’s financial performance;

4. Reviewing significant financial reporting judgments contained in the financial statements; and

5. Reviewing arrangements by which staff of the bank or financial institution may confidentially
raise concerns about possible improprieties in matters of financial reporting.

Internal control

6. Ensuring that senior management establishes and maintains an adequate and effective internal
control framework. Such framework should be designed to provide assurance in areas
including reporting (financial, operational, risk), monitoring compliance with laws, regulations
and internal policies, efficiency and effectiveness of operations and safeguarding of assets.

Internal audit

7. Monitoring and reviewing the effectiveness of the bank’s or financial institution’s internal
audit function;

8. Approving the internal audit plan, scope, cycle and budget;

9. Reviewing and discussing internal audit reports;

10. Ensuring that the internal audit function maintains open communication with senior
management, external auditors, the supervisory authority, and the audit committee;

11. Reviewing discoveries of fraud and violations of laws and regulations as raised by the Internal
Auditor;


12. Reviewing the audit charter and the code of ethics of the internal audit function;

13. Approving, or recommending to the board for its approval, the annual remuneration of the
internal audit function as a whole, including the Internal Auditor; and

14. Approving, or recommending to the board for its approval, the appointment, reappointment or
removal of the Internal Auditor.

External auditor

Appointment, reappointment, dismissal and remuneration

15. Approving a set of appropriate objective criteria for selecting the external audit firm of the
bank or financial institution;

16. Approving, or recommending to the board or shareholders for their approval, the appointment,
re-appointment and removal of the external audit firm; and

17. Approving the remuneration and terms of engagement of the external audit firm.

Compliance with relevant ethical requirements, in particular independence and objectivity

18. Reviewing and monitoring the independence of the external audit firm, and in particular the
provision of additional services to the bank or financial institution, including the related
safeguards that have been applied to eliminate identified threats to independence or reduce
them to an acceptable level;

19. Reviewing and monitoring the external auditor's objectivity and the effectiveness of the audit
process;

20. Developing and implementing a policy on the engagement of the external audit firm for the
supply of non-audit services, taking into account relevant ethical guidelines on the provision
of non-audit services by the external audit firm;

21. Approving the total fees charged for the audit of the financial statements and for non-audit
services provided by the external audit firm and external audit network firms to the entity and
its components controlled by the entity.

22. Overseeing the external audit of the annual and consolidated accounts;

23. Discussing with the external audit firm key matters arising from the external audit, and in
particular any identified material weaknesses in internal controls in relation to the financial
reporting process; and

24. Discussing the written representations the external audit firm is requesting from senior
management and, where appropriate, those charged with governance;


Remedial actions

25. Ensuring that senior management is taking necessary corrective actions to address the findings
and recommendations of internal auditors and external auditors in a timely manner;

26. Addressing control weaknesses, non-compliance with policies, laws and regulations and other
problems identified by internal auditors and external auditors, and

27. Ensuring that deficiencies identified by supervisory authorities related to the internal audit
function are remedied within an appropriate time frame and reporting to the board of directors
on the progress of necessary corrective actions.

Dar es Salaam, BENNO J. NDULU
……………………, 2014 Governor
